> Mmmm, great, so we have the problem of a LAN bridged to
> heaven-knows-where, with possibly several unfriendly parties on
> the LAN trying to out-ARP each other. The bad ARP responses are
> bad stuff, but the solution is not to flood the LAN with ever
> higher rates of traffic, *especially* if any part of the bridged
> network acts as a bandwidth bottleneck, or behaves badly in the
> presence of multicast/broadcast LAN frames.
If someone tries to impersonate my machine I really have to assume
that something serious is up. If I don't defend my IP it will allow
the attacker to steal my mail or impersonate my machine. If it is the
prelude to a break-in elsewhere I'll have a heck of a time proving
that I didn't break into somewhere from this IP. (I could really do
without Joe Gumshoe confiscating my computer and all backup tapes as
evidence in some trial that gets scheduled 1 year down the road.)
> A better approach is not to throw frames into the LAN until
> it congests, but rather to seek to avoid using ARP at all if
> unfriendly or misconfigured parties can answer ARPs improperly.
Whenever an ARP contest between the gateway and some impostor happens,
I do wire down all the important MAC addresses that I know. I've got
a script file all set up to go. I clearly don't want to wire them
down as a matter of course because equipment does get replaced.
-wolfgang
--
Wolfgang Rupprecht <wolfgang@wsrcc.com> http://www.wsrcc.com/wolfgang/
Coming soon: GPS mapping tools for Open Systems. http://www.gnomad-mapping.com/
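The "wire down" script Wolfgang refers to is not shown in the message. What follows is an added example of how such a script could look, written for this page and not Wolfgang's own file. It pins static ARP entries for a hand-maintained table of known hosts with `arp -s`, and it also checks a captured `arp -an` listing against that table so an impostor's MAC shows up as a mismatch before anything is pinned. Every IP, MAC and hostname in it is a constructed sample value; `KNOWN_HOSTS`, `SAMPLE_ARP_TABLE` and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pin known MAC addresses during an ARP contest and flag
# cache entries that disagree with the known-good table.  All addresses
# and names below are constructed sample values.

# Known-good table: IP, MAC, name (hypothetical values).
KNOWN_HOSTS='192.168.1.1 00:11:22:33:44:01 gateway
192.168.1.10 00:11:22:33:44:0a mailhost
192.168.1.20 00:11:22:33:44:14 fileserver'

# Constructed `arp -an` output (Linux net-tools style).  The mailhost line
# carries a MAC that is not the one we know, i.e. an impostor answered.
SAMPLE_ARP_TABLE='? (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.10) at de:ad:be:ef:00:0a [ether] on eth0
? (192.168.1.30) at 00:11:22:33:44:1e [ether] on eth0'

# Normalize a MAC to lowercase, two-digit octets, so that the BSD form
# "0:11:22:33:44:a" compares equal to "00:11:22:33:44:0a".
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++) {
            o = $i
            if (length(o) == 1) o = "0" o
            out = out (i > 1 ? ":" : "") o
        }
        print out
    }'
}

# Emit one `arp -s ip mac` command per known host (nothing is executed).
arp_pin_commands() {
    while read -r ip mac name; do
        [ -n "$ip" ] || continue
        printf 'arp -s %s %s\n' "$ip" "$mac"
    done <<EOF
$KNOWN_HOSTS
EOF
}

# Actually wire the entries down.  Needs root; on Linux without net-tools
# the equivalent is `ip neigh replace IP lladdr MAC dev IFACE nud permanent`.
pin_known_hosts() {
    while read -r ip mac name; do
        [ -n "$ip" ] || continue
        arp -s "$ip" "$mac" || return 1
    done <<EOF
$KNOWN_HOSTS
EOF
}

# Compare an `arp -an` listing (passed as one string) against KNOWN_HOSTS.
# Prints "ip name expected MAC seen MAC" for each disagreement and returns 1
# if any was found; hosts absent from the cache or marked <incomplete> are
# skipped, since there is nothing to compare yet.
arp_mismatches() {
    table="$1"
    bad=0
    while read -r ip mac name; do
        [ -n "$ip" ] || continue
        actual=$(printf '%s\n' "$table" | grep -F "($ip) at " | head -n 1 \
                 | sed 's/.*) at \([^ ]*\).*/\1/')
        case "$actual" in
            *:*:*:*:*:*) ;;    # looks like a MAC address
            *) continue ;;     # absent or <incomplete>
        esac
        if [ "$(norm_mac "$actual")" != "$(norm_mac "$mac")" ]; then
            printf '%s %s expected %s seen %s\n' \
                "$ip" "$name" "$mac" "$(norm_mac "$actual")"
            bad=1
        fi
    done <<EOF
$KNOWN_HOSTS
EOF
    return $bad
}

# Typical use from a cron job or by hand when the contest starts:
#   arp_mismatches "$(arp -an)" && echo "cache matches known table"
#   sudo sh -c '. ./arp-pin.sh; pin_known_hosts'
```

Keeping the table in a file that is edited by hand rather than learned from the cache is the point of the exercise: learning it from the cache during a contest would just memorize whichever party answered last. The same table doubles as the "known good" list for the mismatch check, which is the cheap way to tell a replaced NIC from an impostor before deciding to pin anything.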